
Inside PK Cryptography: Math and Implementation






Presentation Transcript


  1. Inside PK Cryptography: Math and Implementation
     Sriram Srinivasan (“Ram”) sriram@malhar.net

  2. Agenda
     • Introduction to PK Cryptography
     • Essential Number Theory
     • Fundamental Number Theorem
     • GCD, Euclid’s algorithm
     • Linear combinations
     • Modular Arithmetic
     • Euler’s Totient Function
     • Java implementation of RSA
     Sriram Srinivasan

  3. Security Issues
     • Authentication, Authorization, Encryption and Non-repudiation
     • Shared Secrets (e.g. passwords, Enigma)
     • Something shared, something (else) secret
     • Concept by Ellis, Cocks and Williamson
     • Popularly attributed to Diffie and Hellman
     • Algorithm by Rivest, Shamir and Adleman
     • Used everywhere: https, SSL, email, certificates.

  4. Public Key Cryptography
     • Consider a pair of magic pens.
     • Write with one, use the other to decode.
     • Symmetric: either can be used to encode
     • You want to send a message to me
       • You borrow one of my pens and write with it.
       • I decode it with my other pen.
     • Avoids problems of shared secrets
     • Same tools for authentication, encryption and non-repudiation.

  5. Mathematics

  6. Fundamental Theorem of Arithmetic
     • All numbers are expressible as a unique product of primes
     • 10 = 2 * 5, 60 = 2 * 2 * 3 * 5
     • Proof in two parts
       • 1. All numbers are expressible as products of primes
       • 2. There is only one such product sequence per number

  7. Fundamental Theorem proof
     • First part of proof: all numbers are products of primes
       Let S = {x | x is not expressible as a product of primes}
       Let c = min{S}. c cannot be prime
       Let c = c1 · c2, with c1, c2 < c ⇒ c1, c2 ∉ S (because c is min{S})
       ∴ c1, c2 are products of primes ⇒ c is too
       ∴ S is an empty set

  8. Fundamental Theorem proof
     • Second part of proof: the product of primes is unique
       Let n = p1 p2 p3 p4 … = q1 q2 q3 q4 …
       Cancel common primes. Now unique primes on both sides
       Now, p1 | p1 p2 p3 p4 … ⇒ p1 | q1 q2 q3 q4 …
       ⇒ p1 | one of q1, q2, q3, q4 … ⇒ p1 = qi, which is a contradiction

  9. GCD (Greatest Common Divisor)
     • gcd(a,b) = the greatest of the common divisors of a and b
     • Many ways to compute gcd
     • Extract common prime factors
       • Express a, b as products of primes
       • Extract common prime factors
       • gcd(18, 66) = gcd(2*3*3, 2*3*11) = 2*3 = 6
       • Factoring is hard. Not practical
     • Euclid’s algorithm

  10. Euclid’s algorithm
     Step 1: a, b   → r = a % b
     Step 2: b, r   → r1 = b % r
     Step 3: r, r1  → r % r1 = 0. ∴ gcd(a,b) = r1
     (Repeat until the remainder is 0; the last non-zero remainder is the gcd.)

  11. Euclid’s algorithm proof
     • Proof that r1 divides a and b
       r1 | r (because r % r1 = 0)
       b = q'r + r1 and r1 | r ⇒ r1 | b
       a = qb + r, r1 | b, r1 | r ⇒ r1 | a

  12. Euclid’s algorithm proof (contd)
     • Proof that r1 is the greatest divisor
       Say, c | a and c | b
       c | qb + r ⇒ c | r
       c | q'r + r1 ⇒ c | r1

  13. Linear Combination
     • ax + by = “linear combination” of a and b
     • 12x + 20y ∈ {…, -12, -8, -4, 0, 4, 8, 12, …}
     • The minimum positive linear combination of a & b = gcd(a,b)
     • Proof in two steps:
       • 1. If d = min(ax+by) and d > 0, then d | a, d | b
       • 2. d is the greatest divisor.

  14. GCD & Linear combination (contd.)
     Let S = {z = ax + by | z > 0}
     Let d = min{S} = ax1 + by1
     Let a = qd + r, 0 <= r < d
     r = a - qd = a - q(ax1 + by1)
     r = a(1 - qx1) + b(-qy1)
     If r > 0, r ∈ S
     But r < d, which is a contradiction, because d = min{S}
     ∴ r = 0 ⇒ d | a

  15. GCD & Linear combination (contd.)
     • Second part of proof
     • Any other divisor is smaller than d
       Let c | a, c | b, c > 0
       a = cm, b = cn
       d = ax1 + by1 = c(mx1 + ny1) ⇒ c | d
       ⇒ d is the gcd

  16. Summary 1
     • All numbers are expressible as unique products of prime numbers
     • GCD calculated using Euclid’s algorithm
     • gcd(a,b) = 1 ⇒ a & b are mutually prime
     • gcd(a,b) equals the minimum positive linear combination ax + by

  17. Modular/Clock Arithmetic
     • 1:00 and 13:00 hours are the same
     • 1:00 and 25:00 hours are the same
     • 1 ≡ 13 (mod 12)
     • a ≡ b (mod n)
       • n is the modulus
       • a is “congruent” to b, modulo n
       • a - b is divisible by n
       • a % n = b % n

  18. Modular Arithmetic
     • a ≡ b (mod n), c ≡ d (mod n)
     • Addition: a + c ≡ b + d (mod n)
     • Multiplication: ac ≡ bd (mod n)
       Proof of the addition rule:
       a - b = jn, c - d = kn
       a + c - (b + d) = (j + k) n

  19. Modular Arithmetic (contd.)
     • Power: a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n)
     • Going k times around the clock: a + kn ≡ b (mod n)
       Using induction: if a^k ≡ b^k (mod n), then a · a^k ≡ b · b^k (mod n), by the multiplication rule
       ∴ a^(k+1) ≡ b^(k+1) (mod n)

  20. Chinese Remainder Theorem
     • m ≡ a (mod p), m ≡ a (mod q) ⇒ m ≡ a (mod pq) (p, q are distinct primes)
       m - a = cp. Now, m - a is expressible as p1 · p2 · p3 …
       If m - a is divisible by both p and q, p and q must be among p1, p2, p3 …
       ⇒ m - a is divisible by pq

  21. GCD and modulus
     • If gcd(a,n) = 1 and a ≡ b (mod n), then gcd(b,n) = 1
       a ≡ b (mod n) ⇒ a = b + kn
       gcd(a,n) = 1 ⇒ ax1 + ny1 = 1, for some x1 and y1
       (b + kn)x1 + ny1 = 1
       bx1 + n(kx1 + y1) = bx1 + ny2 = 1
       ⇒ gcd(b,n) = 1

  22. Multiplicative Inverse
     • If a, b have no common factors, there exists a_i such that a · a_i ≡ 1 (mod b)
     • a_i is called the “multiplicative inverse”
       gcd(a,b) = 1 = ax1 + by1, for some x1 and y1
       ax1 = 1 – by1
       ax1 = 1 + by2 (making y2 = -y1)
       ax1 - 1 = by2
       ax1 ≡ 1 (mod b)  (x1 is the multiplicative inverse)
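As an added example (not from the slides), Euclid’s algorithm of slides 10-12 carried one step further: the same division steps, tracked backwards, yield the coefficients x1, y1 of slides 14-15 with a·x1 + b·y1 = gcd(a,b), and when that gcd is 1, x1 is the multiplicative inverse of slide 22. Python, with function names of my own choosing.

```python
def gcd_steps(a: int, b: int) -> list[tuple[int, int, int]]:
    """Plain Euclid (slide 10): list of (dividend, divisor, remainder) per step."""
    steps = []
    while b != 0:
        steps.append((a, b, a % b))
        a, b = b, a % b                  # (a, b) -> (b, r), as in the slide's table
    return steps


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclid: return (g, x, y) with g = gcd(a, b) = a*x + b*y."""
    # Invariant kept at every step: old_r = a*old_s + b*old_t and r = a*s + b*t,
    # so when r reaches 0, old_r is the gcd and (old_s, old_t) are its coefficients.
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r      # same remainder sequence as gcd_steps
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def min_positive_combination(a: int, b: int) -> int:
    """Slide 13's claim checked by brute force: min{ax + by > 0} over small x, y."""
    bound = max(abs(a), abs(b))
    return min(a * x + b * y for x in range(-bound, bound + 1)
               for y in range(-bound, bound + 1) if a * x + b * y > 0)


def modinv(a: int, n: int) -> int:
    """Multiplicative inverse of a mod n (slide 22); requires gcd(a, n) = 1."""
    g, x, _ = egcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd is {g}")
    return x % n                         # a*x = 1 - n*y  =>  a*x ≡ 1 (mod n)


if __name__ == "__main__":
    print(gcd_steps(66, 18))             # [(66, 18, 12), (18, 12, 6), (12, 6, 0)]
    print(egcd(12, 20))                  # (4, 2, -1): 12*2 + 20*(-1) = 4
    print(min_positive_combination(12, 20))   # 4 = gcd(12, 20)
    print(modinv(7, 20))                 # 3: the d of the RSA example, 7*3 = 21 ≡ 1 (mod 20)
```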

  23. Summary 2
     • Modular arithmetic
       • Addition, multiplication, power, inverse
     • Chinese Remainder Theorem
       • If m ≡ a (mod p) and m ≡ a (mod q), then m ≡ a (mod pq)
     • Relationship between gcd and modular arithmetic
       • gcd(a,b) = 1 ⇒ a · a_i ≡ 1 (mod b)

  24. Euler’s Totient function
     • φ(n) = Totient(n) = count of integers ≤ n coprime to n
     • φ(10) = 4 (1, 3, 7, 9 are coprime to 10)
     • φ(7) = 6 (1, 2, 3, 4, 5, 6 are coprime to 7)
     • φ(p) = p - 1, if p is a prime

  25. Totient lemma #2: product
     • φ(pq) = (p - 1)(q - 1) = φ(p) · φ(q), if p and q are prime
       Which numbers ≤ pq share factors with pq?
       1·p, 2·p, 3·p, … (q-1)·p and 1·q, 2·q, 3·q, … (p-1)·q and pq
       The rest are coprime to pq. Count them.
       φ(pq) = pq - (p - 1) - (q - 1) - 1 = (p - 1)(q - 1)

  26. Totient lemma #3: power
     • φ(p^k) = p^k - p^(k-1), if p is prime and k > 0
       Only numbers that are a multiple of p have a common factor with p^k: 1·p, 2·p, 3·p, … p^(k-1)·p
       The rest don’t share any factors, so are coprime
       ∴ φ(p^k) = p^k - p^(k-1)

  27. Totient lemma #4: product
     • φ(mn) = φ(m) · φ(n), if m and n are coprime (gcd(m,n) = 1)
       Organize 1 … mn into a matrix of m columns and n rows:
       1          2          3          …  r          …  m
       m+1        m+2        m+3        …  m+r        …  2m
       2m+1       2m+2       2m+3       …  2m+r       …  3m
       …
       (n-1)m+1   (n-1)m+2   (n-1)m+3   …  (n-1)m+r   …  nm

  28. Totient lemma #4 (contd.)
     • Step 1: Eliminate columns
       If gcd(m,r) = 1, gcd(m, km+r) = 1
       ⇒ All cells in that rth column have no common factors with m
       ⇒ Cells in the other columns have a common factor with m (and so with mn), so can be eliminated
       ⇒ φ(m) columns survive

  29. Totient lemma #4 (contd.)
     • Step 2: Examine cells in remaining columns
       No two cells in a column are congruent mod n
       Because if im + r ≡ jm + r (mod n), im + r - jm - r = kn ⇒ n | (i - j)m ⇒ n | (i - j) (as gcd(m,n) = 1), which is not possible because i - j < n (and i ≠ j)
       Because there are n (non-congruent) cells in each column, label them as 0, 1, 2, … n-1 in some order.
       ⇒ φ(n) cells in each column coprime to n
       ⇒ φ(n) φ(m) cells left that are coprime to both m and n

  30. Totient lemma #5
     • If gcd(c,n) = 1 and x1, x2, x3 … x_φ(n) are coprime to n, then cx1, cx2, … cx_φ(n) are congruent to x1, x2, x3 … in some order.
     • 1, 3, 5, 7 are coprime to 8.
     • Multiply each with c = 15 (also coprime to 8)
     • {15, 45, 75, 105} ≡ {7, 5, 3, 1} (mod 8)

  31. Totient lemma #5 (contd.)
     cxi is not ≡ cxj (mod n). Because if cxi ≡ cxj (mod n) ⇒ c(xi - xj) = kn. But gcd(c,n) = 1 ⇒ n | (xi - xj), which is impossible because xi - xj < n
     Remember the old identity: gcd(a,n) = 1 and a ≡ b (mod n) ⇒ gcd(b,n) = 1
     Let cxi ≡ b (mod n)
     gcd(cxi, n) = 1 ⇒ gcd(b,n) = 1
     ∴ b must be one of the xj

  32. Euler’s Theorem
     • If gcd(a,n) = 1, a^φ(n) ≡ 1 (mod n)
       Consider x1, x2, … x_φ(n) < n and coprime to n
       Since a is also coprime to n, from the previous result ax1 ≡ xi (mod n), ax2 ≡ xj (mod n), … etc.
       ⇒ a^φ(n) · x1 x2 x3 … x_φ(n) ≡ x1 x2 x3 … x_φ(n) (mod n)
       ⇒ a^φ(n) · x ≡ x (mod n), where x = x1 x2 x3 … x_φ(n)
       ⇒ n | x(a^φ(n) - 1)
       But n doesn’t divide x (in fact gcd(x,n) = 1) ⇒ n | (a^φ(n) - 1)
       ⇒ a^φ(n) ≡ 1 (mod n)

  33. Fermat’s little theorem
     • Special case of Euler’s theorem, because φ(p) = p - 1
     • If gcd(a,p) = 1 and p is prime, a^(p-1) ≡ 1 (mod p)
     • We now have all the essential number theory. Whew!
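As an added example (not from the slides) covering slides 24-33: φ(n) computed straight from the definition and again from lemmas #3 and #4 applied to a prime factorization, the permutation of lemma #5 checked on the slide’s own 1, 3, 5, 7 and c = 15, and Euler’s theorem a^φ(n) ≡ 1 (mod n) checked numerically. Python, with function names of my own choosing.

```python
from math import gcd


def totient_by_counting(n: int) -> int:
    """φ(n) from the definition on slide 24: count 1 <= x <= n with gcd(x, n) = 1."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def factorize(n: int) -> dict[int, int]:
    """Prime factorization as {p: k} by trial division (fine for small n)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def totient_by_lemmas(n: int) -> int:
    """φ(n) via lemma #3, φ(p^k) = p^k - p^(k-1), and lemma #4, φ(mn) = φ(m)φ(n)."""
    phi = 1
    for p, k in factorize(n).items():
        phi *= p ** k - p ** (k - 1)
    return phi


def coprime_residues(n: int) -> list[int]:
    """The x_1, ..., x_φ(n) of lemma #5: residues in [1, n) coprime to n."""
    return [x for x in range(1, n) if gcd(x, n) == 1]


def lemma5_permutes(c: int, n: int) -> bool:
    """Lemma #5: c*x_i mod n is the same set as the x_i when gcd(c, n) = 1."""
    xs = coprime_residues(n)
    return gcd(c, n) == 1 and sorted((c * x) % n for x in xs) == xs


def euler_holds(a: int, n: int) -> bool:
    """Euler's theorem (slide 32): a^φ(n) ≡ 1 (mod n) whenever gcd(a, n) = 1."""
    return gcd(a, n) == 1 and pow(a, totient_by_lemmas(n), n) == 1


if __name__ == "__main__":
    print(totient_by_counting(10), totient_by_lemmas(10))   # 4 4
    print([(15 * x) % 8 for x in coprime_residues(8)])       # [7, 5, 3, 1]
    print(lemma5_permutes(15, 8), euler_holds(3, 10))        # True True
```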

  34. RSA Algorithm
     • Bob generates public and private keys
       • public key: encrypting key e and modulus n
       • private key: decrypting key d and modulus n
     • Alice wants to send Bob a message m
       • m treated as a number
     • Alice encrypts m using Bob’s “public pen”
       • encrypted ciphertext, c = m^e (mod n)
     • Bob decrypts using his own private key
       • To decrypt, compute c^d (mod n). Result is m

  35. RSA Key Generation
     • Bob selects primes p, q, computes n = pq
     • φ(n) = φ(p) φ(q) = (p - 1)(q - 1)
     • Select e, such that gcd(e, φ(n)) = 1
     • Compute the decrypting key, d, where ed ≡ 1 (mod φ(n))
     • Bob publishes public key info: e, n
     • Keeps private key: d, n
     • Important: m < n

  36. RSA Key Generation
     • Bob selects primes p, q, computes n = pq
     • φ(n) = φ(p) φ(q) = (p - 1)(q - 1)
     • Select e, such that gcd(e, φ(n)) = 1
     • Compute the decrypting key, d, where ed ≡ 1 (mod φ(n))
     • Bob publishes public key pair: e, n
     • Keeps private key: d, n
     Example:
       p = 3, q = 11 ⇒ n = 33
       φ(n) = (3 - 1)(11 - 1) = 20
       e = 7
       7d ≡ 1 (mod 20) ⇒ d = (1 + 20k)/7 ⇒ d = 3
       Public key = (7, 33)
       Private key = (3, 33)

  37. RSA algorithm
     • Treat each letter or block as m (m < n)
     • n = 33, e = 7, d = 3
     • Encryption: for each m compute c = m^e (mod n)
     • Decryption: for each c, compute c^d (mod n)
       “RSA” ⇒ {18, 19, 1}
       18^7 % 33 ⇒ {6}
       19^7 % 33 ⇒ {6, 13}
       1^7 % 33 ⇒ {6, 13, 1}
       6^3 % 33 ⇒ {18}
       13^3 % 33 ⇒ {18, 19}
       1^3 % 33 ⇒ {18, 19, 1}

  38. RSA proof
     • Prove c = m^e (mod n) ⇒ c^d (mod n) = m
     • Review:
       a ≡ b (mod n) ⇒ a^k ≡ b^k (mod n)
       a < n ⇒ a = a (mod n)
       gcd(a,n) = 1 ⇒ a^φ(n) ≡ 1 (mod n)
       a ≡ m (mod p) and a ≡ m (mod q) ⇒ a ≡ m (mod pq)
       φ(pq) = φ(p) φ(q)
       ed ≡ 1 (mod φ(n)) ⇒ ed = 1 + kφ(n)

  39. RSA proof (contd.)
     c = m^e (mod n) ⇒ c ≡ m^e (mod n)
     c^d ≡ m^(ed) (mod n)
     Consider m^(ed) (mod p) and m^(ed) (mod q)
     If p | m, m^(ed) (mod p) = 0 = m (mod p)
     If not, m^(ed) (mod p) ≡ m^(1 + kφ(n)) (mod p)
       ≡ m · m^(kφ(p)φ(q)) (mod p)
       ≡ m · (m^φ(p))^(kφ(q)) (mod p)
       ≡ m · 1^(kφ(q)) (mod p)  (by Euler)
       ≡ m (mod p)

  40. RSA proof (contd.)
     So, in both cases, m^(ed) ≡ m (mod p)
     Similarly, m^(ed) ≡ m (mod q)
     ∴ m^(ed) ≡ m (mod pq) (Chinese Remainder Theorem)
     ≡ m (mod n)
     ∴ m^(ed) (mod n) = m
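The toy RSA of slides 35-37, the signature of slide 44 and the two-prime check behind the proof of slides 39-40, as an added example that is not from the slides. Key generation follows slide 35 with the slide’s own p = 3, q = 11, e = 7; this is textbook RSA with no padding, and the function names are mine.

```python
from math import gcd


def keygen(p: int, q: int, e: int) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return public (e, n) and private (d, n): n = pq, e*d ≡ 1 (mod φ(n))."""
    n, phi = p * q, (p - 1) * (q - 1)    # φ(pq) = φ(p)φ(q), lemma #2
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to φ(n)")
    d = pow(e, -1, phi)                  # multiplicative inverse of slide 22
    return (e, n), (d, n)


def encrypt_blocks(ms: list[int], pub: tuple[int, int]) -> list[int]:
    """c = m^e mod n per block; slide 35's rule m < n is enforced."""
    e, n = pub
    if any(not 0 <= m < n for m in ms):
        raise ValueError("each block must be < n")
    return [pow(m, e, n) for m in ms]


def decrypt_blocks(cs: list[int], priv: tuple[int, int]) -> list[int]:
    """m = c^d mod n per block."""
    d, n = priv
    return [pow(c, d, n) for c in cs]


def sign(m: int, priv: tuple[int, int]) -> int:
    """Slide 44: apply the private exponent first, s = m^d mod n."""
    return pow(m, priv[0], priv[1])


def verify(m: int, s: int, pub: tuple[int, int]) -> bool:
    """s^e mod n = m^(de) mod n must equal m."""
    return pow(s, pub[0], pub[1]) == m


def crt_check(m: int, p: int, q: int, e: int, d: int) -> bool:
    """Slides 39-40: m^(ed) ≡ m holds mod p and mod q separately, hence mod pq."""
    return pow(m, e * d, p) == m % p and pow(m, e * d, q) == m % q


if __name__ == "__main__":
    pub, priv = keygen(3, 11, 7)                  # (7, 33), (3, 33)
    cipher = encrypt_blocks([18, 19, 1], pub)     # "RSA" -> [6, 13, 1]
    print(pub, priv, cipher, decrypt_blocks(cipher, priv))
    s = sign(18, priv)
    print(s, verify(18, s, pub), crt_check(18, 3, 11, 7, 3))   # 24 True True
```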

  41. RSA Implementation
     • Creating a big random prime
     • n = pq
     • φ(n) = (p - 1)(q - 1)
       import java.math.BigInteger;
       import java.security.SecureRandom;

       SecureRandom r = new SecureRandom();
       BigInteger p = new BigInteger(nbits, 100, r);   // probable prime of nbits bits; 100 = certainty parameter
       BigInteger q = new BigInteger(nbits, 100, r);   // second prime (the slide only showed p)
       n = p.multiply(q);
       phi = p.subtract(BigInteger.ONE)
              .multiply(q.subtract(BigInteger.ONE));

  42. RSA Implementation
     • Select e coprime to φ(n)
     • Select d, such that ed ≡ 1 (mod φ(n))
       e = new BigInteger("3");
       while (!phi.gcd(e).equals(BigInteger.ONE))   // step through odd e until gcd(e, φ(n)) = 1
           e = e.add(new BigInteger("2"));
       d = e.modInverse(phi);                        // d = e^-1 mod φ(n)

  43. RSA Implementation
     • Encrypt/decrypt
       BigInteger encrypt(BigInteger message) { return message.modPow(e, n); }
       BigInteger decrypt(BigInteger message) { return message.modPow(d, n); }

  44. Digital Signature
     • m^(ed) (mod n) = m^(de) (mod n)
     • Bob encrypts his name using his private key
     • Alice, the recipient, decrypts it using Bob’s public key

  45. RSA Deployment
     • If the message m > n, chop it up into blocks < n
     • p and q are usually 512 bits, e = 65537.
     • Ensure p - 1 doesn’t have small prime factors. Ensure d is large
     • Pad m with random bits
     • Never reuse n
     • Sign documents very carefully

  46. Examples of RSA Attacks
     • Exploiting algorithm parameter values
       • Low e or d values
     • Exploiting implementation
       • Measuring time and power consumption of smart cards
       • Exploiting random errors in hardware
       • Exploiting error messages
     • Social Engineering: Blinding attack

  47. Ellis / Diffie-Hellman Key Exchange
     • RSA is slow in practice
     • Encrypt AES’s keys using RSA
     • Alice and Bob agree publicly on a prime p, and some integer c < p, gcd(p,c) = 1
     • Alice chooses a privately, and Bob chooses b. a, b < p

  48. Ellis / Diffie-Hellman Key Exchange (contd)
     • Alice computes A = c^a (mod p). Bob computes B = c^b (mod p)
     • They exchange these numbers.
     • Alice computes B^a. Bob computes A^b
     • Both of them compute c^(ab) (mod p)
     • Both use this number as a key for AES.
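The exchange of slides 47-48 with both sides’ computations, as an added example that is not from the slides. The parameters p = 23, c = 5 and the private values a = 6, b = 15 are constructed toy sizes; the function names are mine, and the shared number is hashed down to an AES key length rather than used raw.

```python
from hashlib import sha256


def dh_public(c: int, priv: int, p: int) -> int:
    """A = c^a mod p (Alice) or B = c^b mod p (Bob): the value sent over the wire."""
    return pow(c, priv, p)


def dh_shared(received: int, priv: int, p: int) -> int:
    """Alice: B^a mod p; Bob: A^b mod p. Both equal c^(ab) mod p."""
    return pow(received, priv, p)


def aes_key_from_shared(shared: int) -> bytes:
    """Derive a 16-byte AES key from the shared number (hashed, not the raw value)."""
    nbytes = (shared.bit_length() + 7) // 8 or 1
    return sha256(shared.to_bytes(nbytes, "big")).digest()[:16]


def exchange(p: int, c: int, a: int, b: int) -> tuple[int, int, int, int]:
    """Run the whole protocol; returns (A, B, Alice's shared value, Bob's)."""
    A = dh_public(c, a, p)          # Alice -> Bob; p, c, A and B are public
    B = dh_public(c, b, p)          # Bob -> Alice
    return A, B, dh_shared(B, a, p), dh_shared(A, b, p)


if __name__ == "__main__":
    A, B, k_alice, k_bob = exchange(23, 5, 6, 15)
    print(A, B, k_alice, k_bob)     # 8 19 2 2
    print(aes_key_from_shared(k_alice).hex())
```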

  49. References
     • “Cryptological Mathematics”, Robert Lewand
     • “Twenty Years of Attacks on the RSA Cryptosystem”, Dan Boneh
     • http://crypto.stanford.edu/~dabo
     • pajhome.org.uk/crypt/index.html
     • “Concrete Mathematics”, Donald Knuth et al.
     • “The Code Book”, Simon Singh
